Analysis
-
max time kernel
7s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
21/12/2022, 21:39
General
-
Target
5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2.exe
-
Size
24KB
-
MD5
81dd5baf5b454f488ee21078167156c0
-
SHA1
f678e4e1a992e00c99b859efdb3ee4c28bb1be15
-
SHA256
5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2
-
SHA512
e56276700c5e21aeb26c2e0c3935b5afb2c9d37950c3551f0d146abe18764e54af3c51accc0ea4f377874e7133d8bd2c3bc8ea13274fbf2f03afb00558c17d98
-
SSDEEP
192:H5V5w/Pr9rzr3YnwiEKMTNvV/rzNEiILi+qIUoynhS7Lnv:Vw/jpHowiUTN9/wXqdLSPv
Malware Config
Signatures
-
UAC bypass 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2.exe"C:\Users\Admin\AppData\Local\Temp\5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:/Users/Public/Documents/2022060128.vbe2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060128.vbe"3⤵
-
-
-
C:\Users\Public\Documents\12556.exeC:/Users/Public/Documents/12556.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\k4.exe"C:\Users\Public\Documents\k4.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2.exe"C:\Users\Admin\AppData\Local\Temp\5b206d86af44eae9e701520b56cb16a33eda0db8f5806ea98c204dd36624a2f2.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:/Users/Public/Documents/2022060128.vbe2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060128.vbe"3⤵
-
-
-
C:\Users\Public\Documents\12556.exeC:/Users/Public/Documents/12556.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\k4.exe"C:\Users\Public\Documents\k4.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5b1bce2364eff618b5b2fbf637f694eb6
SHA1b7972db20b7ab7a0be0d663a94bcce3d5b192112
SHA25645fe14e525ca456b0cdc00c098901c5e37c916a78158864056ef3761e329ad4e
SHA512609bb52048805b754b86bd7835684f7e35c24d540f83b24e98f4cd29db47d79b346e22e5a5645c6182cb55e5576a64b39776e2ee120bb6b4fb3072f7cf5ac818
-
Filesize
28KB
MD5b1bce2364eff618b5b2fbf637f694eb6
SHA1b7972db20b7ab7a0be0d663a94bcce3d5b192112
SHA25645fe14e525ca456b0cdc00c098901c5e37c916a78158864056ef3761e329ad4e
SHA512609bb52048805b754b86bd7835684f7e35c24d540f83b24e98f4cd29db47d79b346e22e5a5645c6182cb55e5576a64b39776e2ee120bb6b4fb3072f7cf5ac818
-
Filesize
28KB
MD5b1bce2364eff618b5b2fbf637f694eb6
SHA1b7972db20b7ab7a0be0d663a94bcce3d5b192112
SHA25645fe14e525ca456b0cdc00c098901c5e37c916a78158864056ef3761e329ad4e
SHA512609bb52048805b754b86bd7835684f7e35c24d540f83b24e98f4cd29db47d79b346e22e5a5645c6182cb55e5576a64b39776e2ee120bb6b4fb3072f7cf5ac818
-
Filesize
28KB
MD5b1bce2364eff618b5b2fbf637f694eb6
SHA1b7972db20b7ab7a0be0d663a94bcce3d5b192112
SHA25645fe14e525ca456b0cdc00c098901c5e37c916a78158864056ef3761e329ad4e
SHA512609bb52048805b754b86bd7835684f7e35c24d540f83b24e98f4cd29db47d79b346e22e5a5645c6182cb55e5576a64b39776e2ee120bb6b4fb3072f7cf5ac818
-
Filesize
177B
MD595f6e14e559ebc7dd4b418df2715247b
SHA143feebda1d47a382e23de6482d9e1005e70da65e
SHA256f1eee0c5160f626d70142520b285475f515a6d646c5340dcbe31369fad77e883
SHA5120048e4dab0c5951437bb1083206a1813ae9f07bfcf5be5675b08c591394e7ebcd3032236cdcfe0b251c1e3e2fb7463c4640370357e18d01533079e363999cf99
-
Filesize
177B
MD595f6e14e559ebc7dd4b418df2715247b
SHA143feebda1d47a382e23de6482d9e1005e70da65e
SHA256f1eee0c5160f626d70142520b285475f515a6d646c5340dcbe31369fad77e883
SHA5120048e4dab0c5951437bb1083206a1813ae9f07bfcf5be5675b08c591394e7ebcd3032236cdcfe0b251c1e3e2fb7463c4640370357e18d01533079e363999cf99
-
Filesize
1.5MB
MD5a2c748720adb4b991db2a8e64f758412
SHA19d4457cdcc6964dd96fe2270686ac745726ce542
SHA256ca26ba7099c5986db62a5292ad7d73260507315cb91d221a51ee541deab3ce96
SHA512fefe74dc89c8ff5c5ff643b81d7f82134764e25caff819fb756b40fb7afc2d50a392429cb442bce55d446e27bdd5094dd7cb1e94d43f4c52e524b65e76519417
-
Filesize
1.5MB
MD5a2c748720adb4b991db2a8e64f758412
SHA19d4457cdcc6964dd96fe2270686ac745726ce542
SHA256ca26ba7099c5986db62a5292ad7d73260507315cb91d221a51ee541deab3ce96
SHA512fefe74dc89c8ff5c5ff643b81d7f82134764e25caff819fb756b40fb7afc2d50a392429cb442bce55d446e27bdd5094dd7cb1e94d43f4c52e524b65e76519417
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
1KB
MD5a0f63fb66b28ebb350ec2d349e2d227b
SHA12d4c88e3b973d2f43c7c5246cb03bbbda3030a6b
SHA2569754145aa75a07444aeeb0ef3a7acdeb2254edf1212cb9b3b52c633e7ae0c1e9
SHA5126c69f1788b0ea7979d0462de84f336edd9c0b80e8c33a724079c33f5c10f87bce29b34b8aebc20011def6ee93b827ccfded73f55bbcc521da842d76476a89e2a
-
Filesize
1KB
MD5a0f63fb66b28ebb350ec2d349e2d227b
SHA12d4c88e3b973d2f43c7c5246cb03bbbda3030a6b
SHA2569754145aa75a07444aeeb0ef3a7acdeb2254edf1212cb9b3b52c633e7ae0c1e9
SHA5126c69f1788b0ea7979d0462de84f336edd9c0b80e8c33a724079c33f5c10f87bce29b34b8aebc20011def6ee93b827ccfded73f55bbcc521da842d76476a89e2a
-
Filesize
1.6MB
-
Filesize
3.9MB
-
Filesize
1.6MB
-
Filesize
3.9MB